CVE-2026-20007 - Vulnerability Details

- Cisco Secure Firewall Threat Defense Software Snort Deep Inspection Bypass Vulnerability

Description

A vulnerability in the Snort 2 and Snort 3 deep packet inspection of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Snort rules and allow traffic onto the network that should have been dropped.

This vulnerability is due to a logic error in the integration of the Snort Engine rules with Cisco Secure FTD Software that could allow different Snort rules to be hit when deep inspection of the packet is performed for the inner and outer connections. An attacker could exploit this vulnerability by sending crafted traffic to a targeted device that would hit configured Snort rules. A successful exploit could allow the attacker to send traffic to a network where it should have been denied.

Published: 2026-03-04

Score: 5.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a logic error in how Cisco Secure Firewall Threat Defense integrates Snort 2 and Snort 3 deep packet inspection rules. An attacker can craft packets that trigger different Snort rule sets for the outer and inner connections, causing the engine to misclassify traffic that should be dropped. The result is that unwanted traffic can enter the protected network, potentially exposing sensitive data or facilitating further attacks.

Affected Systems

Cisco Secure Firewall Threat Defense (FTD) Software is impacted. All installations that use Snort 2 or Snort 3 for deep inspection within the FTD product are susceptible, regardless of version, unless a subsequent patch has been applied.

Risk and Exploitability

The CVSS score of 5.8 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the lack of listing in the CISA KEV catalog further indicates low external exploitation pressure. The flaw is exploitable remotely by an unauthenticated attacker who can send crafted traffic. Successful exploitation allows traffic that should be denied to pass through to the internal network.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Secure Firewall Threat Defense (FTD) Software

unknown

Version	Status	Constraints
`6.4.0.1`	affected	—
`6.4.0.2`	affected	—
`6.4.0.5`	affected	—
`6.4.0`	affected	—
`6.4.0.3`	affected	—
`6.4.0.4`	affected	—
`6.4.0.6`	affected	—
`6.4.0.7`	affected	—
`6.4.0.8`	affected	—
`6.4.0.9`	affected	—
`6.4.0.10`	affected	—
`6.4.0.11`	affected	—
`6.4.0.12`	affected	—
`7.0.0`	affected	—
`7.0.0.1`	affected	—
`7.0.1`	affected	—
`7.1.0`	affected	—
`6.4.0.13`	affected	—
`7.0.1.1`	affected	—
`6.4.0.14`	affected	—
`7.1.0.1`	affected	—
`7.0.2`	affected	—
`6.4.0.15`	affected	—
`7.2.0`	affected	—
`7.0.2.1`	affected	—
`7.0.3`	affected	—
`7.1.0.2`	affected	—
`7.2.0.1`	affected	—
`7.0.4`	affected	—
`7.2.1`	affected	—
`7.0.5`	affected	—
`6.4.0.16`	affected	—
`7.3.0`	affected	—
`7.2.2`	affected	—
`7.2.3`	affected	—
`7.3.1`	affected	—
`7.1.0.3`	affected	—
`7.2.4`	affected	—
`7.0.6`	affected	—
`7.2.5`	affected	—
`7.2.4.1`	affected	—
`7.3.1.1`	affected	—
`7.4.0`	affected	—
`6.4.0.17`	affected	—
`7.0.6.1`	affected	—
`7.2.5.1`	affected	—
`7.4.1`	affected	—
`7.2.6`	affected	—
`7.0.6.2`	affected	—
`7.4.1.1`	affected	—
`6.4.0.18`	affected	—
`7.2.7`	affected	—
`7.2.5.2`	affected	—
`7.3.1.2`	affected	—
`7.2.8`	affected	—
`7.6.0`	affected	—
`7.4.2`	affected	—
`7.2.8.1`	affected	—
`7.0.6.3`	affected	—
`7.4.2.1`	affected	—
`7.2.9`	affected	—
`7.0.7`	affected	—
`7.7.0`	affected	—
`7.4.2.2`	affected	—
`7.2.10`	affected	—
`7.6.1`	affected	—
`7.4.2.3`	affected	—
`7.0.8`	affected	—
`7.6.2`	affected	—
`7.0.8.1`	affected	—
`7.6.2.1`	affected	—
`7.4.2.4`	affected	—
`7.2.10.2`	affected	—

No data.

Vendor Product Confidence Versions

Cisco

Secure Firewall Threat Defense

100%

Version	Status	Scheme	Platform
`6.4.0.1`	affected	generic	—
`6.4.0.2`	affected	generic	—
`6.4.0.5`	affected	generic	—
`6.4.0`	affected	semver	—
`6.4.0.3`	affected	generic	—
`6.4.0.4`	affected	generic	—
`6.4.0.6`	affected	generic	—
`6.4.0.7`	affected	generic	—
`6.4.0.8`	affected	generic	—
`6.4.0.9`	affected	generic	—
`6.4.0.10`	affected	generic	—
`6.4.0.11`	affected	generic	—
`6.4.0.12`	affected	generic	—
`7.0.0`	affected	semver	—
`7.0.0.1`	affected	generic	—
`7.0.1`	affected	semver	—
`7.1.0`	affected	semver	—
`6.4.0.13`	affected	generic	—
`7.0.1.1`	affected	generic	—
`6.4.0.14`	affected	generic	—
`7.1.0.1`	affected	generic	—
`7.0.2`	affected	semver	—
`6.4.0.15`	affected	generic	—
`7.2.0`	affected	semver	—
`7.0.2.1`	affected	generic	—
`7.0.3`	affected	semver	—
`7.1.0.2`	affected	generic	—
`7.2.0.1`	affected	generic	—
`7.0.4`	affected	semver	—
`7.2.1`	affected	semver	—
`7.0.5`	affected	semver	—
`6.4.0.16`	affected	generic	—
`7.3.0`	affected	semver	—
`7.2.2`	affected	semver	—
`7.2.3`	affected	semver	—
`7.3.1`	affected	semver	—
`7.1.0.3`	affected	generic	—
`7.2.4`	affected	semver	—
`7.0.6`	affected	semver	—
`7.2.5`	affected	semver	—
`7.2.4.1`	affected	generic	—
`7.3.1.1`	affected	generic	—
`7.4.0`	affected	semver	—
`6.4.0.17`	affected	generic	—
`7.0.6.1`	affected	generic	—
`7.2.5.1`	affected	generic	—
`7.4.1`	affected	semver	—
`7.2.6`	affected	semver	—
`7.0.6.2`	affected	generic	—
`7.4.1.1`	affected	generic	—
`6.4.0.18`	affected	generic	—
`7.2.7`	affected	semver	—
`7.2.5.2`	affected	generic	—
`7.3.1.2`	affected	generic	—
`7.2.8`	affected	semver	—
`7.6.0`	affected	semver	—
`7.4.2`	affected	semver	—
`7.2.8.1`	affected	generic	—
`7.0.6.3`	affected	generic	—
`7.4.2.1`	affected	generic	—
`7.2.9`	affected	semver	—
`7.0.7`	affected	semver	—
`7.7.0`	affected	semver	—
`7.4.2.2`	affected	generic	—
`7.2.10`	affected	semver	—
`7.6.1`	affected	semver	—
`7.4.2.3`	affected	generic	—
`7.0.8`	affected	semver	—
`7.6.2`	affected	semver	—
`7.0.8.1`	affected	generic	—
`7.6.2.1`	affected	generic	—
`7.4.2.4`	affected	generic	—
`7.2.10.2`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Cisco Secure Firewall Threat Defense patch that corrects Snort rule integration.
Verify that Snort deep packet inspection is actively enabled after patch application.
Continuously monitor firewall logs for unexpected traffic patterns, and consider temporarily limiting or disabling Snort rules on critical interfaces if suspicious activity persists.

Generated by OpenCVE AI on April 16, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort-bypass-rLggKzVF

History

Thu, 05 Mar 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco secure Firewall Threat Defense
Vendors & Products		Cisco Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Mar 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the Snort 2 and Snort 3 deep packet inspection of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Snort rules and allow traffic onto the network that should have been dropped. This vulnerability is due to a logic error in the integration of the Snort Engine rules with Cisco Secure FTD Software that could allow different Snort rules to be hit when deep inspection of the packet is performed for the inner and outer connections. An attacker could exploit this vulnerability by sending crafted traffic to a targeted device that would hit configured Snort rules. A successful exploit could allow the attacker to send traffic to a network where it should have been denied.
Title		Cisco Secure Firewall Threat Defense Software Snort Deep Inspection Bypass Vulnerability
Weaknesses		CWE-284
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort-bypass-rLggKzVF
Metrics		cvssV3_1 `{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}`

Subscriptions

Cisco Secure Firewall Threat Defense

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-03-04T17:37:54.913Z

Updated: 2026-03-04T20:51:22.783Z

Reserved: 2025-10-08T11:59:15.349Z

Link: CVE-2026-20007

Vulnrichment

Updated: 2026-03-04T20:51:19.421Z

NVD

Status : Awaiting Analysis

Published: 2026-03-04T18:16:14.063

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20007

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object